This is an automated email from the ASF dual-hosted git repository.

jfthomps pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/vcl-site.git

commit 6aaa8522c358f57a6647290cd97e7f976d80d528
Author: Josh Thompson <[email protected]>
AuthorDate: Thu Mar 20 12:31:42 2025 -0400

    security.html:
    -updated download link in left menu
    -updated copyright year
    -added section for CVE-2024-53679
    -added section for CVE-2024-53678
    -reordered sections for CVEs from 2018 so they are in descending order
---
 content/security.html | 96 ++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 76 insertions(+), 20 deletions(-)

diff --git a/content/security.html b/content/security.html
index c46160a..2b9c0ec 100644
--- a/content/security.html
+++ b/content/security.html
@@ -2,7 +2,6 @@
 <html>
 <head>
 
-
   <link href="/css/vcl.css" rel="stylesheet" type="text/css">
   <link href="/css/code.css" rel="stylesheet" type="text/css">
   <title>Apache VCL - Apache VCL Security</title>
@@ -26,7 +25,7 @@
 <ul>
 <li><a href="/info/features.html">Features</a></li>
 <li><a href="/info/architecture.html">Architecture</a></li>
-<li><a href="/downloads/download.cgi">Download</a></li>
+<li><a href="/downloads/download.html">Download</a></li>
 <li><a href="http://www.apache.org/licenses/";>License</a></li>
 <li><a href="http://www.apache.org/security/";>Security</a></li>
 </ul>
@@ -86,7 +85,65 @@ issues. If you discover any potential vulnerabilities in 
Apache VCL, please repo
 <h2 id="known-security-issues">Known Security Issues</h2>
 <p>Here is a list of known security issues with Apache VCL along with the 
versions affected, versions
 in which they were fixed, and information on patching vulnerable versions.</p>
-<h3 id="cve-2018-11772">CVE-2018-11772</h3>
+<h3 id="cve-2024-53679">CVE-2024-53679</h3>
+<ul>
+<li>
+<p>Announced: March 20th, 2025</p>
+</li>
+<li>
+<p>Affected versions: versions 2.1 through 2.5.1</p>
+</li>
+<li>
+<p>Fixed in version: 2.5.2</p>
+</li>
+<li>
+<p><a href="/patches/patching-CVE-2024.html">Installing patches</a></p>
+</li>
+<li>
+<p>Problem type: XSS attack</p>
+</li>
+<li>
+<p>Description:</p>
+<p>Apache VCL versions 2.1 through 2.5.1 do not properly validate data entered 
into the User
+Lookup form on the site. A user with sufficient rights to be able to view this 
part of the
+site can craft a URL or be tricked in to clicking a URL that will give a 
specified user
+elevated rights. Access to the User Lookup part of the site is typically only 
granted to 
+administrative users which should help limit who can exploit this 
vulnerability. However,
+all VCL systems running versions earlier than 2.5.2 should be upgraded or 
patched.
+This vulnerability was found and reported to the Apache VCL project by Chiencp 
and Nothing
+from TeamTonTac</p>
+</li>
+</ul>
+<h3 id="cve-2024-53678">CVE-2024-53678</h3>
+<ul>
+<li>
+<p>Announced: March 20th, 2025</p>
+</li>
+<li>
+<p>Affected versions: versions 2.2 through 2.5.1</p>
+</li>
+<li>
+<p>Fixed in version: 2.5.2</p>
+</li>
+<li>
+<p><a href="/patches/patching-CVE-2024.html">Installing patches</a></p>
+</li>
+<li>
+<p>Problem type: SQL injection</p>
+</li>
+<li>
+<p>Description:</p>
+<p>Apache VCL versions 2.2 through 2.5.1 do not properly validate data 
submitted in the Block
+Allocation request form. Users can modify form data submitted when requesting 
a new Block
+Allocation such that a SELECT SQL statement is modified. The data returned by 
the SELECT
+statement is not viewable by the attacker. However, this can still be used to 
gain some
+knowledge of data in the database. Any user with an account on a VCL system 
has access to submit
+this form.  All VCL systems running versions earlier than 2.5.2 should be 
upgraded or patched.
+This vulnerability was found and reported to the Apache VCL project by Chiencp 
and Nothing
+from TeamTonTac</p>
+</li>
+</ul>
+<h3 id="cve-2018-11774">CVE-2018-11774</h3>
 <ul>
 <li>
 <p>Announced: July 29th, 2019</p>
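Review bot: The new CVE-2024-53679 entry lists the problem type as "XSS attack", but its description only says a crafted URL "will give a specified user elevated rights" and never says that unvalidated User Lookup data is rendered back into the page or that script runs in the viewer's browser. Add a sentence that connects the unvalidated form data to the rights change so the description matches the stated problem type. In the same paragraph "tricked in to clicking" should read "tricked into clicking", and both new descriptions end "from TeamTonTac" without a closing period, unlike the 2018 entries, which end "ADLab of Venustech.".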
@@ -101,16 +158,16 @@ in which they were fixed, and information on patching 
vulnerable versions.</p>
 <p><a href="/patches/patching-CVE-2018.html">Installing patches</a></p>
 </li>
 <li>
-<p>Problem type: SQL injection</p>
+<p>Problem type: SQL Injection</p>
 </li>
 <li>
 <p>Description:</p>
-<p>Apache VCL versions 2.1 through 2.5 do not properly validate cookie input 
when determining what
-node (if any) was previously selected in the privilege tree. The cookie data 
is then used in an
-SQL statement. This allows for an SQL injection attack. Access to this portion 
of a VCL system
-requires admin level rights.  Other layers of security seem to protect against 
malicious attack.
-However, all VCL systems running versions earlier than 2.5.1 should be 
upgraded or patched.
-This vulnerability was found and reported to the Apache VCL project by ADLab 
of Venustech.</p>
+<p>Apache VCL versions 2.1 through 2.5 do not properly validate form input 
when adding and
+removing VMs to and from hosts. The form data is then used in SQL statements. 
This allows for
+an SQL injection attack. Access to this portion of a VCL system requires admin 
level rights.<br>
+Other layers of security seem to protect against malicious attack. However, 
all VCL systems
+running versions earlier than 2.5.1 should be upgraded or patched. This 
vulnerability was
+found and reported to the Apache VCL project by ADLab of Venustech.</p>
 </li>
 </ul>
 <h3 id="cve-2018-11773">CVE-2018-11773</h3>
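Review bot: The "Problem type" line in this section becomes "SQL Injection", while the new CVE-2024-53678 entry and the CVE-2018-11772 section use "SQL injection"; since these lines are being rewritten anyway, settle on one capitalisation. The description moved in here also carries a stray <br> after "admin level rights." that the other descriptions do not have, and it could be dropped in the same change.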
@@ -141,7 +198,7 @@ should be upgraded or patched. This vulnerability was found 
and reported to the
 project by ADLab of Venustech.</p>
 </li>
 </ul>
-<h3 id="cve-2018-11774">CVE-2018-11774</h3>
+<h3 id="cve-2018-11772">CVE-2018-11772</h3>
 <ul>
 <li>
 <p>Announced: July 29th, 2019</p>
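Review bot: Only the heading id and text change in this hunk, from CVE-2018-11774 to CVE-2018-11772, while the "Announced: July 29th, 2019" line and the metadata items that follow it stay as unchanged context. The reorder is therefore correct only if both CVEs share the same announcement date, affected versions and fixed version. Confirm that against the previous page, or move each section as a whole block so the diff shows the metadata travelling with its heading.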
@@ -156,16 +213,16 @@ project by ADLab of Venustech.</p>
 <p><a href="/patches/patching-CVE-2018.html">Installing patches</a></p>
 </li>
 <li>
-<p>Problem type: SQL Injection</p>
+<p>Problem type: SQL injection</p>
 </li>
 <li>
 <p>Description:</p>
-<p>Apache VCL versions 2.1 through 2.5 do not properly validate form input 
when adding and
-removing VMs to and from hosts. The form data is then used in SQL statements. 
This allows for
-an SQL injection attack. Access to this portion of a VCL system requires admin 
level rights.<br>
-Other layers of security seem to protect against malicious attack. However, 
all VCL systems
-running versions earlier than 2.5.1 should be upgraded or patched. This 
vulnerability was
-found and reported to the Apache VCL project by ADLab of Venustech.</p>
+<p>Apache VCL versions 2.1 through 2.5 do not properly validate cookie input 
when determining what
+node (if any) was previously selected in the privilege tree. The cookie data 
is then used in an
+SQL statement. This allows for an SQL injection attack. Access to this portion 
of a VCL system
+requires admin level rights.  Other layers of security seem to protect against 
malicious attack.
+However, all VCL systems running versions earlier than 2.5.1 should be 
upgraded or patched.
+This vulnerability was found and reported to the Apache VCL project by ADLab 
of Venustech.</p>
 </li>
 </ul>
 <h3 id="cve-2013-0267">CVE-2013-0267</h3>
@@ -197,13 +254,12 @@ privileges.</p>
 </li>
 </ul>
 
-
   </div>
   
   <div id="footer">
     <div class="copyright">
       <p>
-        Copyright &copy; 2020 The Apache Software Foundation, Licensed under
+        Copyright &copy; 2025 The Apache Software Foundation, Licensed under
         the <a href="http://www.apache.org/licenses/LICENSE-2.0";>Apache 
License, Version 2.0</a>.
         <br />
         Apache and the Apache feather logo are trademarks of The Apache 
Software Foundation.
